Make COOP+COEP do not imply crossOriginIsolated.

ArthurSonzogni · ArthurSonzogni · commit 68d940ce562f · 2020-12-15T02:10:18.000+01:00
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: #6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
diff --git a/source b/source
@@ -8017,7 +8017,7 @@ interface <dfn>DOMStringList</dfn> {
 
   <h4 id="structuredserializeinternal" noexport data-lt="StructuredSerializeInternal"
   abstract-op><dfn>StructuredSerializeInternal</dfn> ( <var>value</var>, <var>forStorage</var> [ ,
-  <var>memory</var> ] )</h4>
+  <var>memory</var> ])</h4>
 
   <p>The <span>StructuredSerializeInternal</span> abstract operation takes as input a JavaScript
   value <var>value</var> and serializes it to a <span data-x="JavaScript
@@ -8088,15 +8088,6 @@ interface <dfn>DOMStringList</dfn> {
        <li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
        <span>agent cluster</span>.</p></li>
 
-       <li>
-        <p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
-        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
-
-        <p class="note">This check is only needed when serializing (and not when deserializing) as
-        <span>cross-origin isolated</span> cannot change over time and a
-        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
-       </li>
-
        <li><p>If <var>forStorage</var> is true, then throw a
        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
 
@@ -8513,6 +8504,18 @@ o.myself = o;</code></pre>
      <var>serialized</var>.[[AgentCluster]], then then throw a
      <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
 
+     <li><p>If <var>targetRealm</var>'s <span
+     data-x="concept-settings-object-cross-origin-isolated-capability"
+     >cross-origin isolated capability</span> is false, then throw
+     <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+
+     <p class="note">This check is only needed when deserializing (and not when serializing) as
+     <span data-x="concept-settings-object-cross-origin-isolated-capability">
+     cross-origin isolated capability</span> cannot change over time and a
+     <code>SharedArrayBuffer</code> cannot leave an <span>agent
+     cluster</span>.</p>
+     </li>
+
      <li><p>Otherwise, set <var>value</var> to a new SharedArrayBuffer object in
      <var>targetRealm</var> whose [[ArrayBufferData]] internal slot value is
      <var>serialized</var>.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot
@@ -77984,8 +77987,43 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
-  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
-  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
+  <p>A <span>browsing context group</span> has a <dfn><var
+  data-x="bcg-cross-origin-isolation">cross-origin-isolation</var></dfn> variable of type
+  <span>cross-origin-isolation</span>. Initially "<code
+  data-x="cross-origin-isolation-none">isolation-none</code>"</p>
+
+  <p>A <dfn>cross-origin-isolation</dfn> type can take 3 possible values: </p>
+  <ul>
+   <li><dfn><code data-x="cross-origin-isolation-none">isolation-none</code></dfn></li>
+   <li><dfn><code data-x="cross-origin-isolation-logical">isolation-logical</code></dfn></li>
+   <li><dfn><code data-x="cross-origin-isolation-concrete">isolation-concrete</code></dfn></li>
+  </ul>
+
+  <div class="note">
+  <p>
+  <code data-x="cross-origin-isolation-logical">isolation-logical</code> and
+  <code data-x="cross-origin-isolation-concrete">isolation-concrete</code> are similar. They are both used
+  for <span>browsing context group</span>, where:
+  </p>
+  <ul>
+   <li><p>Every top-level <span>Document</span> has `<code data-x="">
+   <span data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>:
+   <span data-x="coop-same-origin">same-origin</span></code>`</p></li>
+
+   <li><p>Every <span>Document</span> has
+   `<code data-x=""><span>Cross-Origin-Embedder-Policy</span>:
+   <span data-x="coep-require-corp">require-corp</span></code>`</p></li>
+  </ul>
+  <p>
+  On some platforms, it is difficult to provide the security properties required
+  by the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+  isolated capability</span>. As a result, only <code
+  data-x="cross-origin-isolation-concrete">isolation-concrete</code> can grant access to the <span
+  data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+  capability</span>. <code data-x="cross-origin-isolation-concrete">isolation-concrete</code> is
+  used on platform not supporting this capability.
+  </p>
+  </div>
 
   <p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
   map</dfn>, which is a <span data-x="ordered map">map</span> of <span
@@ -79645,11 +79683,17 @@ interface <dfn>BarProp</dfn> {
 
      <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
      isolated capability</span></dt>
-     <dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
-     <span>cross-origin isolated</span> and whether <var>window</var>'s <span
-     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
-     use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
-     feature.</p></dd>
+     <dd><p>Return the logical conjunction of:</p>
+     <ol>
+       <li><p><var>realm</var>'s <span>agent cluster</span>'s <var
+       data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is <code
+       data-x="cross-origin-isolation-concrete">isolation-concrete</code></p></li>
+
+       <li><p><span data-x="concept-document-window">associated <code>Document</code></span> is
+       <span>allowed to use</span> the "<code
+       data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p>
+     </ol>
+     </dd>
     </dl>
    </li>
 
@@ -80424,8 +80468,9 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
-   isolated</span> is true, then return.</p></li>
+   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s
+   <var data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is not <code
+   data-x="cross-origin-isolation-none">isolation-none</code> then return.</p></li>
 
    <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
    origin-keyed</span> is true, then return.</p></li>
@@ -80534,17 +80579,16 @@ interface <dfn>BarProp</dfn> {
   and the <code data-x="dom-originAgentCluster">originAgentCluster</code> getter will always return
   true.</p>
 
-  <p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
-  <span>agent cluster</span> are automatically origin-keyed. The `<code
-  data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as an
-  additional hint to implementations about resource allocation, since the `<code
+  <p class="note">Similarly, <code>Document</code>s with <span>agent cluster</span>'s
+  <var data-x="agent-cluster-cross-origin-isolation">cross-origin-isolated</var> not <code
+  data-x="cross-origin-isolation-none">isolation-none</code> are automatically origin-isolated. The
+  `<code data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as
+  an additional hint to implementations about resource allocation, since the `<code
   data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
   `<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation are
   more about ensuring that everything in the same address space opts in to being there. But adding
   it would have no additional observable effects on author code.</p>
 
-
-
   <h3>Sandboxing</h3>
 
   <p>A <dfn export>sandboxing flag set</dfn> is a set of zero or more of the following flags, which
@@ -80901,8 +80945,9 @@ interface <dfn>BarProp</dfn> {
    <dd>
     <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
     addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
-    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
-    true.</p>
+    group">group</span>'s <span data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> to
+    <code data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
+      data-x="cross-origin-isolation-concrete">isolation-concrete</code></p>
 
     <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
     be directly set via the `<code
@@ -81311,8 +81356,19 @@ interface <dfn>BarProp</dfn> {
 
    <li><p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
    data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
-   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
-   cross-origin isolated">cross-origin isolated</span> to true.</p></li>
+   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span
+   data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> to: <code
+   data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
+   data-x="cross-origin-isolation-concrete">isolation-concrete</code>. The one used is
+   platform-specific. </p>
+
+   <p class="note">It is difficult on some platforms to provide the security properties required by
+   the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+   capability</span>. Only the <code
+   data-x="cross-origin-isolation-concrete">isolation-concrete</code> might grant access to it.
+   <code data-x="cross-origin-isolation-logical">Isolation-logical</code> won't and is used for the
+   platforms not supporting it.</p>
+   </li>
 
    <li>
     <p>If <var>sandboxFlags</var> is not empty, then:</p>
@@ -86779,9 +86835,11 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <p>Contains various <code>Window</code> objects which can potentially reach each other, either
     directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>
 
-    <p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
-    then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
-    directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
+    <p>If the encompassing <span>agent cluster</span>'s <span
+    data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</span> is not <code
+    data-x="cross-origin-isolation-none">isolation-none</code>, then all the <code>Window</code>
+    objects will be <span>same origin</span>, can reach each other directly, and <code
+    data-x="dom-document-domain">document.domain</code> will no-op.</p>
 
     <p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
     different <span data-x="similar-origin window agent">similar-origin window agents</span>, for
@@ -86863,8 +86921,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   <div w-nodev>
 
-  <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
-  which is initially false.</p>
+  <p>An <span>agent cluster</span> has an associated <dfn><var
+  data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var></dfn> variable, of type
+  <span>cross-origin-isolation</span>. Initially set to <code
+  data-x="cross-origin-isolation-none">isolation-none</code>.
 
   <p>An <span>agent cluster</span> has an associated <dfn>is origin-keyed</dfn> (a boolean), which
   is initially false.</p>
@@ -86892,8 +86952,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
    <li><p>Let <var>key</var> be <var>site</var>.</p></li>
 
-   <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
-   isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
+   <li><p>If <var>group</var>'s <span
+   data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> is not <code
+   data-x="cross-origin-isolation-none">isolation-none</code>, then set <var>key</var> to
+   <var>origin</var>.</p></li>
 
    <li><p>Otherwise, if <var>group</var>'s <span>historical agent cluster key
    map</span>[<var>origin</var>] <span data-x="map exists">exists</span>, then set <var>key</var> to
@@ -86918,8 +86980,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
-     <li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
-     <span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
+     <li><p>Set <var>agentCluster</var>'s <var
+     data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> to <var>group</var>'s
+     <var data-x="bcg-cross-origin-isolation">cross-origin-isolation</var>.</p></li>
 
      <li><p>Set <var>agentCluster</var>'s <span>is origin-keyed</span> to true if <var>key</var>
      equals <var>origin</var>; otherwise false.</p></li>
@@ -87300,8 +87363,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
    href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>
 
    <li>
-    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
-    false, then:</p>
+    <p>If <var>agent</var>'s <span>agent cluster</span>'s <var
+    data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is <code
+    data-x="cross-origin-isolation-none">isolation-none</code>, then:
 
     <ol>
      <li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
@@ -99221,8 +99285,11 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>If <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
       data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
-      <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
-      true.</p>
+      <var>agent</var>'s <span>agent cluster</span>'s <var
+      data-x="agent-cluster-cross-origin-isolation">cross-origin-isolated</var> to <code
+      data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
+      data-x="cross-origin-isolation-concrete">isolation-concrete</code>. The one chosen is
+      platform-specific.</p>
 
       <p class="XXX">This really ought to be set when the agent cluster is created, which requires a
       redesign of this section.</p>
@@ -99235,8 +99302,8 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
 
      <li><p>Set <var>worker global scope</var>'s <span
      data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
-     capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
-     isolated</span>.</p></li>
+     capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <var
+     data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var>.</p></li>
 
      <li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
      data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
